Abstract

We reprove a result of Boppana and Lagarias: If $\Pi_2^P \neq \Sigma_2^P$ then there exists a partial function $f$ that is computable by a polynomial-size family of circuits, but no inverse of $f$ is computable by a polynomial-size family of circuits. We strengthen this result by showing that there exist length-preserving total functions that are one-way by circuit size and that are computable in uniform polynomial time. We also prove, if $\Pi_2^P \neq \Sigma_2^P$, that there exist polynomially balanced total surjective functions that are one-way by circuit size; here non-uniformity is used.
1 Introduction

The difficulty of inversion (i.e., given $f$ and $y$, find any $x$ such that $f(x) = y$) is a fundamental topic in computational complexity and in cryptography. The question whether NP is different from P can be formulated as a question about the difficulty of inversion, namely, $\mathrm{P} \neq \mathrm{NP}$ iff there exists a one-way function based on polynomial time (see [11], [18, pp. 32-43], and [?, pp. 119-125]). A function $f$ is said to be one-way based on polynomial time iff $f$ is polynomial-time computable (by a deterministic Turing machine) but no inverse function $f'$ of $f$ is polynomial-time computable. An inverse of $f$ is any function $f'$ such that $f \circ f' \circ f = f$. In this paper we consider one-way functions based on (non-uniform) families of circuits of polynomial size. Boppana and Lagarias [2] (by using the Karp-Lipton theorem [9]) proved that if $\Pi_2^P \neq \Sigma_2^P$ then there exists a partial function $f$ that can be computed by a non-uniform family of circuits of polynomial size, but no inverse $f'$ of $f$ can be computed by a non-uniform family of circuits of polynomial size. We show that this result still holds when $f$ is a total surjective and polynomially balanced function, or when $f$ is length-preserving and uniformly computable in polynomial time (but non-uniformity is allowed for the inverses).

By "circuit" we mean a digital circuit made of boolean gates, whose underlying directed graph is acyclic [16]. More precisely, a circuit $C$ with $m$ input vertices and $n$ output vertices consists of two parts. First, $C$ has an acyclic directed graph (with vertex set $V$ and edge set $E$); we assume that the set of vertices $V$ has a total order (i.e., $V$ is not just a set but a sequence). Second, $C$ has a gate map

$\mathrm{gate} : v \in V \mapsto \mathrm{gate}(v) \in \{\mathrm{and}, \mathrm{or}, \mathrm{not}, \mathrm{fork}, \mathrm{in}_1, \ldots, \mathrm{in}_m, \mathrm{out}_1, \ldots, \mathrm{out}_n\}$

which assigns a gate $\mathrm{gate}(v)$ to each vertex $v$. The gates and, or, and not are the traditional boolean operations. The gates and and or have domain $\{0,1\} \times \{0,1\}$, so a vertex labeled by such a gate has in-degree 2; not has domain $\{0,1\}$, so a vertex labeled by not has in-degree 1; all three operations have codomain $\{0,1\}$, so the vertex has out-degree 1. The gate $\mathrm{fork} : x \in \{0,1\} \mapsto (x, x) \in \{0,1\} \times \{0,1\}$ is also called the fan-out operation; the corresponding vertex has in-degree 1 and out-degree 2. Input vertices are mapped to $\mathrm{in}_1, \ldots, \mathrm{in}_m$; they have in-degree 0 and out-degree 1. Output vertices are mapped to $\mathrm{out}_1, \ldots, \mathrm{out}_n$; they have in-degree 1 and out-degree 0. The gate map is injective on the union of the set of input vertices and the set of output vertices.

The size (or complexity) of a circuit $C$, denoted $|C|$, is defined to be the number of edges (i.e., wire links) plus the number of vertices. Thus $|C|$ is always at least as large as the number of input vertices plus the number of output vertices. A circuit $C$ with $m$ input vertices and $n$ output vertices has an input-output function $(x_1, \ldots, x_m) \in \{0,1\}^m \mapsto (y_1, \ldots, y_n) \in \{0,1\}^n$ that we denote by $C(.)$. The image set of $C$, i.e. the set of all actual outputs, is denoted by $\mathrm{im}(C)$ $(\subseteq \{0,1\}^n)$.

Let $A$ be a finite alphabet; when we talk about circuits we always assume that $A = \{0,1\}$.

Definition 1.1 A function $f : A^* \to A^*$ is called length-equality preserving iff for all $x_1, x_2 \in A^*$, $|x_1| = |x_2|$ implies $|f(x_1)| = |f(x_2)|$. Equivalently, for every $m$ there exists $n$ such that $f(A^m) \subseteq A^n$.
A special case consists of the length-preserving functions, satisfying $|f(x)| = |x|$.

Definition 1.2 A function $f : A^* \to A^*$ is called polynomially balanced iff there exist polynomials $p_1(.)$ and $p_2(.)$ such that for all inputs $x \in A^*$: $|f(x)| \le p_1(|x|)$ and $|x| \le p_2(|f(x)|)$.
A special case is, again, the length-preserving functions.

Definition 1.3 A length-equality preserving function $f : \{0,1\}^* \to \{0,1\}^*$ is said to be computed by a family of circuits $\mathcal{C} = (C_m : m \in \mathbb{N})$ iff for all $m \in \mathbb{N}$ and all $x \in \{0,1\}^m$, $f(x) = C_m(x)$. (We do not make any uniformity assumptions for $\mathcal{C}$.)

This family is said to be of polynomial size iff there is a polynomial $p(.)$ such that for all $m$: $|C_m| \le p(m)$.

In general, a family of circuits $\mathcal{C} = (C_i : i \in \mathbb{N})$ could contain any number of circuits $C_i$ with the same number of input vertices; then $\mathcal{C}$ does not compute a function.

Computational one-wayness can be defined in many (non-equivalent) ways. We will use the following definition, related to worst-case circuit complexity (we are not considering cryptographic one-way functions here).

Definition 1.4 A length-equality preserving function $f : \{0,1\}^* \to \{0,1\}^*$ is one-way by circuit size iff

• $f$ is polynomially balanced,

• $f$ is computable by a polynomial-size family of circuits, but

• no inverse function $f'$ of $f$ is computable by a polynomial-size family of circuits.

Intuitively, one-wayness based on circuit size should be stronger than one-wayness based on uniform computational complexity. Indeed, in the former, not only is it difficult to find any inverse $f'$ of $f$, but the circuits for the inverses $f'$ are all very large. Definition 1.4 can also be adapted to a family of circuits by itself.

Definition 1.5 A family of circuits $\mathcal{C} = (C_i : i \in \mathbb{N})$ is one-way by circuit size iff for every polynomial $p(.)$ there is no family of circuits $\mathcal{C}' = (C'_i : i \in \mathbb{N})$ such that for all $i$, $C_i \circ C'_i \circ C_i(.) = C_i(.)$ and $|C'_i| \le p(|C_i|)$.

Before dealing with one-wayness we characterize the complexity of the injectiveness problem and of the surjectiveness problem for circuits. Injectiveness is equivalent to the existence of left inverses, and surjectiveness is equivalent to the existence of right inverses. After that we consider general inverses.

2 Injectiveness and surjectiveness

The equivalence problem for circuits takes two circuits $C_1, C_2$ as input, and asks whether $C_1(.) = C_2(.)$. It is well known that this problem is coNP-complete [5, 8]. A related problem is the following, where for any set $S$ we denote the identity function on $S$ by $\mathrm{id}_S$. In the identity problem, for a given circuit $C$ the question is whether $C(.) = \mathrm{id}_{\{0,1\}^n}$. In the injectiveness problem the question is whether $C(.)$ is injective. The identity problem is a special case of both the equivalence problem and the injectiveness problem.

Proposition 2.1 The injectiveness problem and the identity problem for circuits are coNP-complete.

Proof (this is Theorem 6.5 in [1], reproved here purely in the context of circuits). It is easy to see that the injectiveness problem and the identity problem are in coNP. To show hardness we reduce the tautology problem for boolean formulas to the injectiveness problem and to the identity problem for circuits, as follows. Let $B$ be any boolean formula with $n$ variables. We define a new boolean function $F_B : \{0,1\}^{n+1} \to \{0,1\}^{n+1}$ by



Let us check that the following three properties are equivalent: (1) $B$ is a tautology, (2) $F_B$ is injective, and (3) $F_B = \mathrm{id}_{\{0,1\}^{n+1}}$.

When $B(x_1, \ldots, x_n) = 1$ then $F_B(x_1, \ldots, x_n, x_{n+1}) = (x_1, \ldots, x_n, x_{n+1})$. So, if $B$ is a tautology then $F_B$ is the identity function on $\{0,1\}^{n+1}$ (which also implies that $F_B$ is injective).

If $B$ is not a tautology then $B(c_1, \ldots, c_n) = 0$ for some $(c_1, \ldots, c_n) \in \{0,1\}^n$. It follows that $F_B(c_1, \ldots, c_n, 0) = (1, \ldots, 1, 1)$. But we also have $F_B(1, \ldots, 1, 1) = (1, \ldots, 1, 1)$, since here $x_{n+1} = 1$. Hence, $F_B$ is not injective (the inputs $(c_1, \ldots, c_n, 0)$ and $(1, \ldots, 1, 1)$ are distinct), and hence $F_B$ is not the identity function. □

The surjectiveness problem for circuits takes a circuit $C$ as input, and asks whether $C(.)$ is surjective. Let $\Pi_2^P$ denote the $\forall\exists$-class at level 2 in the polynomial hierarchy; similarly, $\Sigma_2^P$ denotes the $\exists\forall$-class. Theorem 2.2 below is very similar to Theorem 5.9 in [1] about the surjectiveness problem for elements of the Thompson-Higman monoid. But there are technical differences between circuits and elements of that monoid, so we give a separate proof for circuits here.

Theorem 2.2 The surjectiveness problem for circuits is $\Pi_2^P$-complete.

Proof. The definition of surjectiveness shows that the surjectiveness problem is in $\Pi_2^P$. Indeed, $C(.)$ is surjective iff $(\forall y \in \{0,1\}^n)(\exists x \in \{0,1\}^m)\,[C(x) = y]$. This is a $\Pi_2^P$-formula, since $n, m \le |C|$, and since the property $C(x) = y$ can be checked deterministically in polynomial time when $x$, $y$, and $C$ are given.

Let us prove hardness by reducing $\forall\exists\mathrm{Sat}$ (the $\forall\exists$-satisfiability problem) to the surjectiveness problem for circuits. Let $B(x, y)$ be any boolean formula where $x$ is a sequence of $m$ boolean variables, and $y$ is a sequence of $n$ boolean variables. The problem $\forall\exists\mathrm{Sat}$ asks on input $\forall y\,\exists x\, B(x, y)$ whether this sentence is true. It is well known that $\forall\exists\mathrm{Sat}$ is $\Pi_2^P$-complete. We map the formula $B$ to the circuit $C_B$ with input-output function defined by



Equivalently,

$C_B(x, y, y_{n+1}) = \big(\, y_1 \vee \neg(B(x,y) \vee y_{n+1}),\ \ldots,\ y_n \vee \neg(B(x,y) \vee y_{n+1}),\ \ y_{n+1} \vee \neg B(x,y) \,\big)$.

Hence one can easily construct a circuit for $C_B$ from the formula $B(x, y)$. By the definition of $C_B$ (if $B(x,y) = 1$ the output is $(y, y_{n+1})$; if $B(x,y) = 0$ and $y_{n+1} = 1$ the output is $(y, 1)$; if $B(x,y) = 0$ and $y_{n+1} = 0$ the output is $(1^n, 1)$),

$\mathrm{im}(C_B) = \{(y, 0) : \exists x\, B(x, y)\} \ \cup\ \{(y, 1) : y \in \{0,1\}^n\} \ \ (\cup\ \{(1^n, 1)\})$.

Since $(1^n, 1) \in \{(y, 1) : y \in \{0,1\}^n\}$, the term $\{(1^n, 1)\}$ (which may or may not be present) is irrelevant. Hence,

$\mathrm{im}(C_B) = \{0,1\}^n\,1 \ \cup\ \{y \in \{0,1\}^n : \exists x\, B(x, y)\}\,0$.

Therefore, $\forall y\,\exists x\, B(x, y)$ is true iff $\mathrm{im}(C_B) = \{0,1\}^n\,1 \cup \{0,1\}^n\,0$, i.e., iff $C_B$ is surjective. □
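The reduction above, carried out by brute force on two small formulas, as an added example (this code is not part of the paper; the two formulas $B_{\mathrm{true}}$ and $B_{\mathrm{false}}$ are constructed here for illustration):

```python
# Added example (not from the paper): the reduction from forall-exists-SAT to the
# surjectiveness problem, checked by brute force on two constructed formulas.
from itertools import product

def bit_tuples(k):
    """All bit tuples of length k, in lexicographic order."""
    return list(product((0, 1), repeat=k))

def make_C_B(B, m, n):
    """Input-output function of the circuit C_B of Theorem 2.2.

    B(x, y) is a callable returning 0/1 on bit tuples with |x| = m and |y| = n.
    The circuit reads (x, y, y_{n+1}) and outputs n+1 bits; the negation of
    (B(x,y) or y_{n+1}) is what pushes the output to 1^n 1 when B fails and y_{n+1} = 0.
    """
    def C_B(bits):
        assert len(bits) == m + n + 1
        x, y, y_last = bits[:m], bits[m:m + n], bits[m + n]
        b = B(x, y)
        not_b_or_last = 1 - (b | y_last)
        return tuple(yi | not_b_or_last for yi in y) + (y_last | (1 - b),)
    return C_B

def image(f, in_len):
    return {f(bits) for bits in bit_tuples(in_len)}

def is_surjective(f, in_len, out_len):
    return len(image(f, in_len)) == 2 ** out_len

def forall_exists(B, m, n):
    """Truth of the sentence  forall y exists x  B(x, y)."""
    return all(any(B(x, y) for x in bit_tuples(m)) for y in bit_tuples(n))

def reduction_agrees(B, m, n):
    """Theorem 2.2: the sentence is true iff C_B is surjective."""
    return forall_exists(B, m, n) == is_surjective(make_C_B(B, m, n), m + n + 1, n + 1)

# Constructed formulas (this example's own, not from the paper).
def B_true(x, y):      # m = 2, n = 2: x1 xor x2 = y1 and x1 = y2; solvable for every y
    return int((x[0] ^ x[1]) == y[0] and x[0] == y[1])

def B_false(x, y):     # m = 1, n = 2: x1 and y1 and y2; no x works for y = (0, *) or (*, 0)
    return x[0] & y[0] & y[1]
```

For $B_{\mathrm{false}}$ the image of $C_B$ has exactly five elements: all four $(y, 1)$ and the single $(1, 1, 0)$, matching the formula for $\mathrm{im}(C_B)$ above.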

For a partial function $f : X \to Y$ it is a well-known fact that $f$ is surjective iff $f$ has a right inverse. By definition, a partial function $g : Y \to X$ is called a right inverse of $f$ iff $f \circ g(.) = \mathrm{id}_Y$. For circuits we have: A circuit $C$ (with $m$ input wires and $n$ output wires) is surjective iff there exists a circuit $C'$ (with $n$ input wires and $m$ output wires) such that $C \circ C'(.) = \mathrm{id}_{\{0,1\}^n}$.

Theorem 2.3 If there exists a polynomial $p(.)$ such that every surjective circuit $C$ has a right inverse $C'$ of size $|C'| \le p(|C|)$, then $\Pi_2^P = \Sigma_2^P$.

Proof. If such a polynomial $p(.)$ exists then the surjectiveness of $C$ is characterized by

$C$ is surjective iff $(\exists C',\ |C'| \le p(|C|))\,(\forall x \in \{0,1\}^n)\ [C \circ C'(x) = x]$.

This is a $\Sigma_2^P$-formula since the quantified variables are polynomially bounded in terms of $|C|$, and the relation $C \circ C'(x) = x$ can be checked deterministically in polynomial time when $C$, $C'$ and $x$ are given. This implies that the surjectiveness problem is in $\Sigma_2^P$. But since we already proved that the surjectiveness problem is $\Pi_2^P$-complete, this implies that $\Pi_2^P \subseteq \Sigma_2^P$. Hence, $\Pi_2^P = \Sigma_2^P$. □

3 General inverses

The general concept of an inverse goes back to Moore [12] (Moore-Penrose pseudo-inverse of a matrix), and von Neumann [13] (regular rings). For a partial function $f : X \to Y$, the domain of $f$ is denoted by $\mathrm{dom}(f)$ $(\subseteq X)$, and the image (or range) is denoted by $\mathrm{im}(f)$ $(\subseteq Y)$. A partial function $f : X \to Y$ is called total iff $\mathrm{dom}(f) = X$. When we just say "function" we mean a total function.

Definition 3.1 For a partial function $F : X \to Y$ an inverse (also called a semi-inverse) of $F$ is any partial function $F' : Y \to X$ such that $F \circ F' \circ F = F$. If both $F \circ F' \circ F = F$ and $F' \circ F \circ F' = F'$ hold then $F'$ is a mutual inverse of $F$, and $F$ is a mutual inverse of $F'$.

The following facts about inverses are well known and straightforward to prove. For any two partial functions $F : X \to Y$ and $F' : Y \to X$ we have:

• $F \circ F' \circ F = F$ iff $(F \circ F')|_{\mathrm{im}(F)} = \mathrm{id}_{\mathrm{im}(F)}$, where $(.)|_{\mathrm{im}(F)}$ denotes the restriction to $\mathrm{im}(F)$.

• If $F'$ is a semi-inverse of $F$ then $\mathrm{im}(F) \subseteq \mathrm{dom}(F')$; i.e., $F'(y)$ is defined for all $y \in \mathrm{im}(F)$.

• If $F'$ is a semi-inverse of $F$ then $F'|_{\mathrm{im}(F)}$ is injective.

• If $F'$ is a semi-inverse of $F$ then $F' \circ F \circ F'$ is a mutual inverse of $F$.

• Every partial function $F$ has at least one semi-inverse. More specifically, $F$ has at least one semi-inverse $F'_1$ that is total (i.e., $\mathrm{dom}(F'_1) = Y$), and at least one semi-inverse $F'_2$ that is injective and whose domain is $\mathrm{im}(F)$.

For infinite sets the last fact requires the axiom of choice. The following two Lemmas are also straightforward.

Lemma 3.2 $F'$ is a right inverse of $F$ iff $F'$ is a total and injective mutual inverse of $F$. □

Lemma 3.3 For a partial function $F : X \to Y$ the following are equivalent:

(1) $F$ is surjective;

(2) $F$ has a right inverse;

(3) $F$ has a mutual inverse $F'$ that is total and injective;

(4) every semi-inverse $F'$ of $F$ is total and injective;

(5) every semi-inverse $F'$ of $F$ is total. □
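The facts listed above and Lemmas 3.2 and 3.3, checked by brute force on two small functions, as an added example (this code is not part of the paper; the two sample functions AND and DUP are constructed here for illustration):

```python
# Added example (not from the paper): semi-inverses, mutual inverses and right
# inverses of small functions {0,1}^m -> {0,1}^n, checked by brute force.
from itertools import product

def bit_tuples(k):
    return list(product((0, 1), repeat=k))

def is_semi_inverse(F, Fp, m):
    """F o F' o F = F, i.e. F(F'(F(x))) = F(x) for all x. F' is a dict (may be partial)."""
    return all(F(x) in Fp and F(Fp[F(x)]) == F(x) for x in bit_tuples(m))

def is_mutual_inverse(F, Fp, m):
    """Both F o F' o F = F and F' o F o F' = F'."""
    return is_semi_inverse(F, Fp, m) and all(Fp[F(Fp[y])] == Fp[y] for y in Fp)

def is_right_inverse(F, Fp, n):
    """F o F' = id on all of {0,1}^n (so F' is total and F is surjective)."""
    return all(y in Fp and F(Fp[y]) == y for y in bit_tuples(n))

def is_surjective(F, m, n):
    return len({F(x) for x in bit_tuples(m)}) == 2 ** n

def semi_inverse(F, m, n, total=False):
    """F'_2 from the list of facts: the lexicographically smallest preimage of each
    y in im(F). With total=True it is extended to F'_1 by sending y outside im(F) to 0^m."""
    Fp = {}
    for x in bit_tuples(m):
        Fp.setdefault(F(x), x)          # x ranges in lexicographic order
    if total:
        for y in bit_tuples(n):
            Fp.setdefault(y, (0,) * m)
    return Fp

def mutual_inverse_from(F, Fp):
    """F' o F o F', which is a mutual inverse of F whenever F' is a semi-inverse."""
    return {y: Fp[F(Fp[y])] for y in Fp}

# Constructed sample functions (this example's own, not from the paper).
def AND(x):            # {0,1}^2 -> {0,1}^1, surjective
    return (x[0] & x[1],)

def DUP(x):            # {0,1}^1 -> {0,1}^2, x -> (x, x), not surjective
    return (x[0], x[0])

def sample_results():
    """Lemmas 3.2 and 3.3 on the two samples; returns a dict of booleans."""
    and_inv = semi_inverse(AND, 2, 1)
    dup_inv = semi_inverse(DUP, 1, 2, total=True)
    dup_mut = mutual_inverse_from(DUP, dup_inv)
    return {
        "and_surjective": is_surjective(AND, 2, 1),
        "and_inverse_is_right_inverse": is_right_inverse(AND, and_inv, 1),
        # Lemma 3.3 (5): a partial F' cannot be a semi-inverse of a surjective F
        "and_partial_is_semi": is_semi_inverse(AND, {(0,): (0, 0)}, 2),
        "dup_surjective": is_surjective(DUP, 1, 2),
        "dup_total_inverse_is_semi": is_semi_inverse(DUP, dup_inv, 1),
        "dup_total_inverse_is_right": is_right_inverse(DUP, dup_inv, 2),
        "dup_mutual_is_mutual": is_mutual_inverse(DUP, dup_mut, 1),
    }
```

For the surjective AND the smallest-preimage semi-inverse is already a right inverse (Lemma 3.3, $(1) \Rightarrow (2)$); for the non-surjective DUP the total semi-inverse is a semi-inverse and even a mutual inverse, but not a right inverse.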

We can now reformulate Theorem 2.3 in terms of inverses.

Theorem 3.4 If there exists a polynomial $p(.)$ such that every circuit $C$ has a semi-inverse $C'$ of size $|C'| \le p(|C|)$, then $\Pi_2^P = \Sigma_2^P$.

Proof. If such a $p(.)$ exists then every circuit $C$ has an inverse $C'$ of size $|C'| \le p(|C|)$, and hence every $C$ has a mutual inverse $C'_2 = C' \circ C \circ C'$ of size $|C'_2| \le 2\,p(|C|) + |C|$. Let $q(n) = 2\,p(n) + n$, which is also a polynomial.

Let us now consider the special case where $C$ is surjective. Then by Lemma 3.3 $(1 \Rightarrow 4)$, $C'_2$ is total and injective. Then by Lemma 3.2, since $C'_2$ is a mutual inverse, $C'_2$ is a right inverse of $C$. Now Theorem 2.3 (for the polynomial $q(.)$) implies that $\Pi_2^P = \Sigma_2^P$. □

Theorem 3.4 is not new; it follows immediately from a result by Boppana and Lagarias (Theorem 2.1a in [2]), combined with the Karp-Lipton Theorem [9].

The proof of Theorem 3.4 also applies to surjective functions (while the methods in [2] do not seem to):

Corollary 3.5 If there exists a polynomial $p(.)$ such that every surjective circuit $C$ has a semi-inverse $C'$ of size $|C'| \le p(|C|)$, then $\Pi_2^P = \Sigma_2^P$. □

Theorems 2.3, 3.4 and Corollary 3.5 show that, if $\Pi_2^P \neq \Sigma_2^P$, the family of all circuits and the family of all surjective circuits are one-way by circuit size.

4 One-way functions, if $\Pi_2^P \neq \Sigma_2^P$

We will use the above results to construct two types of functions that are one-way by circuit size.

4.1 A surjective non-uniform one-way function

The papers [6] and [4] discuss the existence of surjective one-way functions, based on uniform polynomial time complexity. In the uniform case (with uniformity for both $f$ and $f'$), it is known that $\mathrm{P} \neq \mathrm{NP} \cap \mathrm{coNP}$ implies the existence of one-way functions (attributed to [3] in the Introduction of [4]). Here we give an existence result for surjective one-way functions with respect to non-uniform polynomial time, i.e., circuit size.

For a circuit $C$ we will denote the number of input vertices by $m_C$ or $m$, and the number of output vertices by $n_C$ or $n$. An identity wire in a circuit is an edge $(x_i, y_j)$ that directly connects an input vertex $x_i$ to an output vertex $y_j$; so $x_i$ and $y_j$ have the same value. To add an identity wire means to create a new input vertex, a new output vertex, and an edge between them.

Lemma 4.1 Suppose $C_0$ is obtained from $C$ by adding identity wires. Then $C_0$ is surjective iff $C$ is surjective.

Proof. Let $j$ be the number of identity wires added. So, $\mathrm{im}(C_0) = \mathrm{im}(C) \times \{0,1\}^j$. Then $C$ is surjective iff $\mathrm{im}(C) = \{0,1\}^n$ iff $\mathrm{im}(C_0) = \{0,1\}^n \times \{0,1\}^j = \{0,1\}^{n+j}$ iff $C_0$ is surjective. □

Proposition 4.2 Theorem 2.3 and Corollary 3.5 still hold when one only considers surjective circuits $C$ that satisfy $m \le \frac{1}{2}|C| \le 2n$. The same holds if one considers only surjective circuits that satisfy $2n < m \le |C| \le 6n$.

Proof. From any circuit $C$ one can construct a circuit $C_1$ by adding $|C|$ identity wires. Then $C$ is surjective iff $C_1$ is surjective (by Lemma 4.1). An identity wire has two vertices and one edge, so the resulting circuit $C_1$ has size $|C_1| = 4|C|$. For the number of input vertices and output vertices we have $m_1 = m + |C|$, and $n_1 = n + |C|$. Since $m \le |C|$, it follows that $m_1 \le \frac{1}{2}|C_1|$. Also, $|C_1| = 4(n_1 - n) \le 4n_1$.

The circuit $C_1$ satisfies $2n_1 \ge m_1$ (since $m_1 \le \frac{1}{2}|C_1| \le 2n_1$). Now $2n_1 - m_1 + 1$ new input vertices can be added to $C_1$; these vertices are not connected to anything and are not output vertices. Then the new circuit $C_2$ is surjective iff $C_1$ is surjective. The new circuit $C_2$ satisfies $n_2 = n_1$, $|C_2| = |C_1| + 2n_1 - m_1 + 1 \le |C_1| + 2n_1 \le 4n_1 + 2n_1$, and $m_2 = 2n_1 + 1 > 2n_2$. Hence, $2n_2 < m_2 \le |C_2| \le 6n_2$.

The circuits $C_1$ and $C_2$ can be constructed from $C$ deterministically in polynomial time. Moreover, an inverse of $C$ can be obtained in polynomial time from an inverse of $C_1$, and vice versa. The same holds for $C_2$. Hence, $C$ has an inverse of size $\le p(|C|)$ (for some polynomial $p(.)$) iff $C_i$ has an inverse of size $\le p_i(|C_i|)$ (for some polynomial $p_i(.)$, $i = 1, 2$). Since the existence of polynomial-size inverses for all surjective circuits $C$ implies $\Pi_2^P = \Sigma_2^P$ (by Corollary 3.5), the existence of polynomial-size inverses for all circuits $C_1$, or for all circuits $C_2$, also implies $\Pi_2^P = \Sigma_2^P$. □

We saw in Lemma 3.3 that a function $f : X \to Y$ is surjective iff every inverse of $f$ is total and injective.

Theorem 4.3 For every polynomial $p(.)$ consider the following set of surjective circuits:

$\mathcal{C}_p = \{\, C : 2n_C < m_C \le |C| \le 6n_C$ and every inverse $C'$ of $C$ satisfies $|C'| > p(|C|) \,\}$.

If $\Pi_2^P \neq \Sigma_2^P$ then for every polynomial $p(.)$ the set $\{n_C : C \in \mathcal{C}_p\}$ (consisting of the output lengths of the circuits in $\mathcal{C}_p$) is infinite.

Proof. We assume $\Pi_2^P \neq \Sigma_2^P$. Then by Corollary 3.5 and Prop. 4.2, $\mathcal{C}_p$ is not empty. For all $C \in \mathcal{C}_p$ we have $2n_C < m_C \le |C| \le 6n_C$. It follows that for any polynomial $p(.)$ the four sets $\mathcal{C}_p$, $\{|C| : C \in \mathcal{C}_p\}$, $\{n_C : C \in \mathcal{C}_p\}$, and $\{m_C : C \in \mathcal{C}_p\}$ are all infinite iff one of them is infinite. Moreover, if a function is surjective then all its inverses are total and injective (Lemma 3.3); in particular a fixed circuit $C$ has only finitely many inverse functions, and every circuit computing one of them has size at least $n_C$. Hence, $\mathcal{C}_p$ is infinite iff the set of inverse functions of circuits in $\mathcal{C}_p$ is infinite, iff the set $\{|C'| : C'$ is a smallest circuit computing an inverse of some $C \in \mathcal{C}_p\}$ is infinite.

For two polynomials we write $p_2 \ge p_1$ when $p_2(n) \ge p_1(n)$ for all $n$. If $p_2 \ge p_1$ then $\mathcal{C}_{p_2} \subseteq \mathcal{C}_{p_1}$; hence for any polynomial $p_0(.)$ we have $\bigcup_{p \ge p_0} \mathcal{C}_p = \mathcal{C}_{p_0}$. For any polynomial $p_0(.)$ the set

$\{\, p(|C|) : p(.)$ is a polynomial, $p \ge p_0$, and $C \in \mathcal{C}_p \,\}$

is infinite; indeed, there are infinitely many polynomials $p \ge p_0$ (e.g., $p_0 + k$ for every $k \in \mathbb{N}$), each $\mathcal{C}_p$ is non-empty, and $p(|C|) \ge k$ when $p = p_0 + k$. It follows that for any polynomial $p_0(.)$ the set $\{|C'| : C'$ is a smallest circuit computing an inverse of some $C \in \mathcal{C}_p$, for some $p \ge p_0\}$ is infinite, since $|C'| > p(|C|)$ when $C \in \mathcal{C}_p$. Hence, for any $p_0(.)$, $\mathcal{C}_{p_0}$ and $\{n_C : C \in \mathcal{C}_{p_0}\}$ are infinite. □

Theorem 4.4 If $\Pi_2^P \neq \Sigma_2^P$ then there exists a surjective total function $f : \{0,1\}^* \to \{0,1\}^*$ which is polynomially balanced and length-equality preserving, and which satisfies:

• $f$ is computed by a non-uniform polynomial-size family of circuits, but

• $f$ has no inverse that can be computed by a non-uniform polynomial-size family of circuits.

Proof. Consider an infinite sequence of polynomials $p_1 \le p_2 \le \ldots \le p_k \le \ldots$, with $p_k(x) \ge x^k + k$ for all numbers $x$. Recall that $\mathcal{C}_{p_k} = \{\, C : 2n_C < m_C \le |C| \le 6n_C$ and every inverse $C'$ of $C$ satisfies $|C'| > p_k(|C|) \,\}$. Let us abbreviate $\mathcal{C}_{p_k}$ by $\mathcal{C}_k$. We saw that $\ldots \subseteq \mathcal{C}_k \subseteq \ldots \subseteq \mathcal{C}_2 \subseteq \mathcal{C}_1$. By Theorem 4.3, if $\Pi_2^P \neq \Sigma_2^P$ then $\mathcal{C}_k$ and $\{|C| : C \in \mathcal{C}_k\}$ are infinite for every $k$ (and so are $\{n_C : C \in \mathcal{C}_k\}$ and $\{m_C : C \in \mathcal{C}_k\}$). We now construct an infinite set of circuits $\{C_k \in \mathcal{C}_k : k \in \mathbb{N}\}$, where we abbreviate $m_{C_k}$ and $n_{C_k}$ by $m_k$, respectively $n_k$:

$C_1$ is a smallest circuit in $\mathcal{C}_1$;

$C_{k+1}$ is a smallest circuit in $\{\, C \in \mathcal{C}_{k+1} : |C| > |C_k|,\ n_C \ge 1 + n_k$ and $m_C \ge 2m_k \,\}$.

Since $\mathcal{C}_{k+1}$ is infinite with unbounded $|C|$, $n_C$ and $m_C$ (by Theorem 4.3), the circuit $C_{k+1}$ exists.

Claim: $m_{k+1} - m_k > n_{k+1} - n_k \ge 1$.

Proof of the Claim: We have $m_{k+1} \ge 2m_k$ (by the choice of $C_{k+1}$), and $m_{k+1} > 2n_{k+1}$ (since $C_{k+1} \in \mathcal{C}_{k+1}$). Hence, $m_{k+1}/2 \ge m_k$ and $m_{k+1}/2 > n_{k+1}$. By adding these inequalities we obtain $m_{k+1} > m_k + n_{k+1}$, hence $m_{k+1} - m_k > n_{k+1} \ge n_{k+1} - n_k$. Also, the choice of $n_C \ge 1 + n_k$ implies $n_{k+1} - n_k \ge 1$. This proves the Claim.

We define a total and surjective function $F : \{0,1\}^* \to \{0,1\}^*$ as follows:

(1) $F(x) = C_k(x)$ if $|x| = m_k$;

(2) $F$ maps $D_k = \bigcup_{m_k < m < m_{k+1}} \{0,1\}^m$ onto $R_k = \bigcup_{n_k < n < n_{k+1}} \{0,1\}^n$.

In (1), $F$ maps $\{0,1\}^{m_k}$ onto $\{0,1\}^{n_k}$ for every $k$, since $C_k$ is surjective. In (2), $D_k$ is non-empty, since $m_{k+1} - m_k > n_{k+1} - n_k \ge 1$ (by the Claim). To complete the definition of $F$, $D_k$ can be mapped onto $R_k$ in a length-equality preserving way, as follows: Since $m_{k+1} - m_k - 1 > n_{k+1} - n_k - 1$ and $m_i > n_i$ (for all $i$), we can map $\{0,1\}^{m_k + i}$ onto $\{0,1\}^{n_k + i}$ for $i = 1, \ldots, n_{k+1} - n_k - 1$ $(< m_{k+1} - m_k - 1)$. Next, we map $\bigcup_{m_k + n_{k+1} - n_k \le m < m_{k+1}} \{0,1\}^m$ onto $\{0,1\}^{n_{k+1} - 1}$. (When $n_{k+1} - n_k = 1$, $R_k$ is empty and this second step maps all of $D_k$ onto $\{0,1\}^{n_k}$.) This way, $F$ is onto and length-equality preserving. In more detail yet, when $j \ge i$ we map $\{0,1\}^j$ onto $\{0,1\}^i$ by $(x_1, \ldots, x_i, x_{i+1}, \ldots, x_j) \mapsto (x_1, \ldots, x_i)$. This way, $F : D_k \to R_k$ consists of projections.

Let us check that overall, $F$ is polynomially balanced (in fact, input sizes and output sizes bound each other linearly): Indeed, $F$ maps length $m_k$ to length $n_k$, with $m_k \le 6n_k$. Also, length $m_k + i$ is mapped to $n_k + i$ for $1 \le i < n_{k+1} - n_k$, with $m_k + i \le 6n_k + i$. Finally, lengths between $m_k + n_{k+1} - n_k$ and $m_{k+1} - 1$ are mapped to length $n_{k+1} - 1$, with $m_{k+1} - 1 < 6n_{k+1} - 1$.

We see that $F$ can be computed by a linear-size non-uniform family of circuits: For inputs of length $m_k$ (for some $k$) we use the circuit $C_k$; for the other inputs, $F$ is a projection.

Finally, let us check that no inverse $F'$ of $F$ is computable by a polynomial-size circuit family (if $\Pi_2^P \neq \Sigma_2^P$). The set $\{C_k : k \in \mathbb{N}\}$ that we constructed is infinite and $C_k \in \mathcal{C}_k$; hence any family $(C'_k : k \in \mathbb{N})$ of circuits that computes an inverse $F'$ will satisfy $|C'_k| > |C_k|^k + k$ for all $k$ (here $C'_k$ is the circuit of the family for input length $n_k$; since only inputs of length $m_k$ are mapped to length $n_k$, $C'_k$ computes an inverse of $C_k$). Since the set $\{n_k : k \in \mathbb{N}\}$ is infinite, the restriction of $F$ to $\bigcup_{k \in \mathbb{N}} \{0,1\}^{m_k} \to \bigcup_{k \in \mathbb{N}} \{0,1\}^{n_k}$ has no inverse with size bounded by a polynomial (of fixed degree). Thus $F$ has no polynomial-size inverse. □

4.2 A uniform one-way function

A result of Boppana and Lagarias [2] (combined with the Karp-Lipton theorem [9]) states that if $\Pi_2^P \neq \Sigma_2^P$ then there exists a function $f$ that is one-way in the sense that $f$ is computable by a polynomial-size family of circuits, but the inverses of $f$ are not computable by any polynomial-size family of circuits. The one-way functions considered in [2] are not polynomially balanced; moreover, they are either not total or not length-equality preserving (in the terminology of [2], the output can be the single symbol #). Also, these one-way functions are based on the Karp-Lipton theorem, so they are (apparently) not computable in uniform polynomial time. We will now construct a length-preserving function $f$ that can be computed uniformly in polynomial time, but no inverse $f'$ of $f$ has a polynomial-size family of circuits.

We can describe any circuit $C$ by a bitstring $\mathrm{code}(C)$, i.e., there is a "Gödel numbering" for circuits. Naturally there is also a decoding function $\mathrm{decode}(.)$ which is an inverse of $\mathrm{code}(.)$, i.e., $\mathrm{decode}(\mathrm{code}(C)) = C$. We can extend $\mathrm{decode}(.)$ to a total function, so any bitstring is decoded to a circuit. The encoding function $\mathrm{code}(.)$ is associated with an evaluation function $\mathrm{ev}$ such that

$\mathrm{ev}(\mathrm{code}(C), x) = C(x)$ for all $x \in \{0,1\}^{m_C}$.

Here we denote the length of the inputs of $C$ by $m_C$ and the length of the outputs by $n_C$. The functions $\mathrm{code}(.)$, $\mathrm{decode}(.)$, and $\mathrm{ev}(., .)$ can be constructed so that they have special properties. The existence and the main properties of $\mathrm{ev}(., .)$ and $\mathrm{code}(.)$ are well-known folklore, but we prove them here nevertheless because we will need detailed size and complexity estimates (items 3, 4, and 5 in the Proposition below).

Proposition 4.5 Let $\mathcal{C}$ denote the set of all circuits. There exist functions
$\mathrm{code} : \mathcal{C} \to \{0,1\}^*$,
$\mathrm{decode} : \{0,1\}^* \to \mathcal{C}$,
$\mathrm{ev} : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$, such that

(1) for all $C \in \mathcal{C}$: $\mathrm{decode}(\mathrm{code}(C)) = C$;

(2) for all $c, x \in \{0,1\}^*$ with $|x| = m_{\mathrm{decode}(c)}$: $\mathrm{ev}(c, x) = [\mathrm{decode}(c)](x)$;
in particular, for all $C \in \mathcal{C}$, $x \in \{0,1\}^{m_C}$: $\mathrm{ev}(\mathrm{code}(C), x) = C(x)$;

(3) for all $C \in \mathcal{C}$: $|C| \log_2 |C| \le |\mathrm{code}(C)| \le 6\,|C| \log_2 |C|$;

(4) $\mathrm{decode}(.)$ and $\mathrm{ev}(., .)$ are total functions;

(5.1) the language $\mathrm{im}(\mathrm{code}) = \mathrm{im}(\mathrm{code} \circ \mathrm{decode}) \subseteq \{0,1\}^*$ belongs to P;

(5.2) $\mathrm{code} \circ \mathrm{decode}(.) : \{0,1\}^* \to \{0,1\}^*$ is polynomial-time computable and polynomially balanced;

(5.3) $\mathrm{ev}(., .)$ is polynomial-time computable.

Proof. We denote the sets of vertices and edges of $C$ by $V$, respectively $E$. To construct the bitstring $\mathrm{code}(C)$ from a circuit $C$ we first use a four-letter alphabet $\{a, b, c, d\}$. We label the vertices of the acyclic digraph of $C$ injectively by strings over $\{a, b\}$, using binary numbering (with $a = 0$, $b = 1$), according to the order of $V$, from number 0 through $|V| - 1$. Each vertex is thus represented by a string in $\{a, b\}^*$ of length $\lceil \log_2 |V| \rceil$. In addition, each vertex is labeled by its gate type (namely and, or, not, fork, $\mathrm{in}_1, \ldots, \mathrm{in}_m, \mathrm{out}_1, \ldots, \mathrm{out}_n$), according to the gate map; strings over $\{c, d\}$ of length $\lceil \log_2(4 + m + n) \rceil$ are used for these gate labels. As we alternate between $\{a, b\}$ and $\{c, d\}$, no separator is needed. Thus we have a description of length $|V|\,(\lceil \log_2 |V| \rceil + \lceil \log_2(4 + m + n) \rceil)$ for the list of vertices and their gate types. Each edge is described by a pair of vertex codes, separated by a letter $c$, and any two edges are separated by a letter $d$. Thus the list of edges is described by a string of length $|E|\,(2 + 2\lceil \log_2 |V| \rceil)$. So, counted in letters, $|\mathrm{code}(C)| = |V|\,(\lceil \log_2 |V| \rceil + \lceil \log_2(4 + m + n) \rceil) + |E|\,(2 + 2\lceil \log_2 |V| \rceil)$. Hence $|\mathrm{code}(C)| \ge \frac{1}{2}|C| \log_2 |C|$ (since $|V|^2 + |V| \ge |E| + |V| = |C|$), and $|\mathrm{code}(C)| \le 3\,|C| \log_2 |C|$ (since $|C| = |V| + |E|$). Turning $\mathrm{code}(C)$ into a bitstring (e.g., by encoding $a, b, c, d$ as $00, 01, 10, 11$, respectively) doubles the length. This completes the definition of $\mathrm{code}(.)$ and proves property (3).

To define the function $\mathrm{decode}$ we first let $\mathrm{decode}(\mathrm{code}(C)) = C$. When $c$ is not the code of any circuit, we let $\mathrm{decode}(c)$ be the largest identity circuit (i.e., computing the identity map on $\{0,1\}^m$, for some $m$) with a code of length $\le |c|$. This makes $\mathrm{decode}(.)$ a total function; property (1) also follows immediately.

An evaluation function $\mathrm{ev}$ can now be defined, based on the above construction of $\mathrm{code}(.)$ and $\mathrm{decode}(.)$. For any $(c, x) \in \{0,1\}^* \times \{0,1\}^*$, let $C = \mathrm{decode}(c)$. If $|x| = m_C$ then we define $\mathrm{ev}(c, x) = [\mathrm{decode}(c)](x)$. If $|x| \neq m_C$ we define $\mathrm{ev}(c, x) = x$. Properties (2) and (4) now hold.

The definitions of $\mathrm{code}$ and $\mathrm{decode}$ make it easy to check whether a string $c$ is an encoding of a circuit, and to decode $c$ (or to generate an identity circuit if $c$ is not a code). The inequalities in (3) imply that $\mathrm{code} \circ \mathrm{decode}(.)$ is polynomially balanced. This shows properties (5.1) and (5.2). The definitions of $\mathrm{code}$, $\mathrm{decode}$, and $\mathrm{ev}$ make it easy to compute $\mathrm{ev}(c, x)$, so we have (5.3). The details are very similar to the proof that the circuit value problem is in P (see section 4.3 of [14]). □

The function $\mathrm{ev}$ is neither length-equality preserving nor polynomially balanced.
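The encoding scheme of the proof of Proposition 4.5 (vertex ids over $\{a,b\}$, gate labels over $\{c,d\}$, edges as $\mathrm{id}\,c\,\mathrm{id}\,d$, two bits per letter), implemented as an added example that is not part of the paper. The circuit representation, the XOR sample circuit and the fallback for non-codes (a fixed one-bit identity circuit instead of the paper's "largest identity circuit whose code fits in $|c|$ bits") are this example's own assumptions:

```python
# Added example (not from the paper): code, decode and ev following the scheme in
# the proof of Proposition 4.5, on a small circuit with all four gate types.
from dataclasses import dataclass
from math import ceil, log2

GATES = ("and", "or", "not", "fork")          # gate indices 0..3; in_i, out_j follow

@dataclass
class Circuit:
    gates: list      # ordered vertices: 'and' | 'or' | 'not' | 'fork' | ('in', i) | ('out', j)
    edges: list      # (u, v) pairs of vertex positions; must form a DAG

    def __post_init__(self):
        self.m = sum(1 for g in self.gates if isinstance(g, tuple) and g[0] == "in")
        self.n = sum(1 for g in self.gates if isinstance(g, tuple) and g[0] == "out")

    def size(self):                                 # |C| = #vertices + #edges
        return len(self.gates) + len(self.edges)

    def __call__(self, x):
        assert len(x) == self.m
        preds = {v: [] for v in range(len(self.gates))}
        for u, v in self.edges:
            preds[v].append(u)
        memo = {}
        def val(v):                                 # acyclic, so the recursion ends
            if v not in memo:
                g = self.gates[v]
                if isinstance(g, tuple) and g[0] == "in":
                    memo[v] = x[g[1] - 1]
                elif g == "and":
                    memo[v] = val(preds[v][0]) & val(preds[v][1])
                elif g == "or":
                    memo[v] = val(preds[v][0]) | val(preds[v][1])
                elif g == "not":
                    memo[v] = 1 - val(preds[v][0])
                else:                               # fork or out: pass the value on
                    memo[v] = val(preds[v][0])
            return memo[v]
        outs = sorted((g[1], v) for v, g in enumerate(self.gates)
                      if isinstance(g, tuple) and g[0] == "out")
        return tuple(val(v) for _, v in outs)

def gate_index(g, m):
    if isinstance(g, tuple):
        return 4 + g[1] - 1 if g[0] == "in" else 4 + m + g[1] - 1
    return GATES.index(g)

def index_gate(k, m):
    if k < 4:
        return GATES[k]
    return ("in", k - 3) if k < 4 + m else ("out", k - 3 - m)

def code(C):
    """Vertex ids over {a,b}, gate labels over {c,d}, edges as id c id d; then 2 bits/letter."""
    V = len(C.gates)
    k = max(1, ceil(log2(V)))                       # ceil(log2 |V|) letters per vertex id
    l = ceil(log2(4 + C.m + C.n))                   # ceil(log2(4+m+n)) letters per label, >= 2
    vid = lambda v: format(v, f"0{k}b").replace("0", "a").replace("1", "b")
    lab = lambda g: format(gate_index(g, C.m), f"0{l}b").replace("0", "c").replace("1", "d")
    letters = "".join(vid(v) + lab(g) for v, g in enumerate(C.gates))
    letters += "".join(vid(u) + "c" + vid(v) + "d" for u, v in C.edges)
    return "".join({"a": "00", "b": "01", "c": "10", "d": "11"}[ch] for ch in letters)

def decode(c):
    """Inverse of code on valid codes (raises ValueError otherwise)."""
    if len(c) % 2 or set(c) - {"0", "1"}:
        raise ValueError("not a circuit code")
    letters = "".join("abcd"[int(c[i:i + 2], 2)] for i in range(0, len(c), 2))
    runs = []                                       # maximal runs over {a,b} or over {c,d}
    for ch in letters:
        if runs and (runs[-1][-1] in "ab") == (ch in "ab"):
            runs[-1] += ch
        else:
            runs.append(ch)
    as_int = lambda r: int(r.translate(str.maketrans("abcd", "0101")), 2)
    idx, i = [], 0
    while i + 1 < len(runs) and len(runs[i + 1]) >= 2:   # vertex section: label runs, length >= 2
        idx.append(as_int(runs[i + 1]))
        i += 2
    edges = [(as_int(runs[j]), as_int(runs[j + 2])) for j in range(i, len(runs), 4)]
    indeg = [0] * len(idx)
    for _, v in edges:
        indeg[v] += 1
    m = sum(1 for v, g in enumerate(idx) if g >= 4 and indeg[v] == 0)   # inputs have in-degree 0
    return Circuit([index_gate(g, m) for g in idx], edges)

IDENTITY_1 = Circuit([("in", 1), ("out", 1)], [(0, 1)])   # stand-in for the paper's fallback

def ev(c, x):
    """ev(c, x) = [decode(c)](x) when |x| matches, else x. Non-codes decode to IDENTITY_1
    here; the paper uses the largest identity circuit whose code fits in |c| bits."""
    try:
        C = decode(c)
    except (ValueError, IndexError):
        C = IDENTITY_1
    return C(tuple(x)) if len(x) == C.m else tuple(x)

def code_length_in_bounds(C):                       # property (3) of Proposition 4.5
    s = C.size()
    return s * log2(s) <= len(code(C)) <= 6 * s * log2(s)

# Constructed sample: XOR = (x1 and not x2) or (not x1 and x2), with explicit forks.
XOR = Circuit(
    [("in", 1), ("in", 2), "fork", "fork", "not", "not", "and", "and", "or", ("out", 1)],
    [(0, 2), (1, 3), (2, 4), (2, 6), (3, 5), (3, 7), (4, 7), (5, 6), (6, 8), (7, 8), (8, 9)],
)
```

For XOR we have $|V| = 10$, $|E| = 11$, so $|C| = 21$, $\lceil \log_2 |V| \rceil = 4$ and $\lceil \log_2(4+2+1) \rceil = 3$; the letter count is $10 \cdot 7 + 11 \cdot 10 = 180$, hence $|\mathrm{code}(\mathrm{XOR})| = 360$ bits, which lies between $21 \log_2 21 \approx 92$ and $6 \cdot 21 \log_2 21 \approx 553$ as property (3) requires. The decoder recovers $m$ from the structure (input vertices are the labeled vertices with in-degree 0), since the gate indices alone do not separate $\mathrm{in}_i$ from $\mathrm{out}_j$.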

Proposition 4.6 Let $m$ and $n$ denote, respectively, the number of input and output vertices of a circuit $C$. Theorem 3.4 still holds when one only considers circuits $C$ that satisfy $|C| \le 4m$ and $m = n$ (i.e., the function $C(.)$ is length-preserving).

Theorem 3.4 also holds when one only considers circuits $C$ with $m = n$ and $|\mathrm{code}(C)| \le 24\, m \log_2(4m)$.

Proof. From $C$ one can construct a circuit $C_1$ with equal numbers of input and output vertices. If $m < n$ one adds $n - m$ extra input vertices that are not connected to anything else in the circuit. If $m > n$ one adds $m - n$ new output vertices that carry the constant boolean value 0. A constant 0 can be created by making two copies of the input $x_1$ (by forking twice) and then taking $x_1 \wedge \neg x_1$ $(= 0)$; this uses 4 gates and 6 wires. Making $m - n - 1$ more copies of 0 uses $m - n - 1$ fork gates and $2(m - n - 1)$ more wires. Now $m_1 = n_1 = \max\{n, m\}$, and $|C_1| \le |C| + 3\,|m - n| + 10$ (where $|m - n|$ denotes the absolute value of $m - n$). Inverting $C$ is equivalent to inverting $C_1$.

In any circuit $C_1$ one can add $|C_1|$ identity wires. An identity wire has two vertices and one edge, so the resulting circuit $C_2$ has size $|C_2| = 4|C_1|$, and $m_2 = m_1 + |C_1|$ input vertices, and $n_2 = n_1 + |C_1|$ output vertices. Hence $|C_2| = 4|C_1| \le 4m_2$. (Recall that circuit size is defined to be the number of vertices plus the number of edges in the circuit; no circuit with $m = n \ge 1$ can satisfy $|C| \le 2m$, since each output vertex has in-degree 1, so $|C| \ge m + n + n = 3m$.) If $m_1 = n_1$ then $m_2 = n_2$, and $|C_2| \le 4m_2$. Since $C_1$ and $C_2$ differ only by identity wires, there is a one-to-one correspondence between inverses of $C_1$ and of $C_2$; an inverse for $C_2$ can be obtained from an inverse of $C_1$ by adding identity wires; an inverse for $C_1$ can be obtained from an inverse of $C_2$ by removing the extra identity wires.

By Prop. 4.5, $C_2$ also satisfies $|\mathrm{code}(C_2)| \le 6\,|C_2| \log_2 |C_2|$. We saw that $|C_2| \le 4m_2$, hence $|\mathrm{code}(C_2)| \le 24\, m_2 \log_2(4m_2)$.

The circuits $C_1$ and $C_2$ can be constructed from $C$ deterministically in polynomial time. Moreover, an inverse of $C$ can be obtained in polynomial time from an inverse of $C_1$ or $C_2$, and vice versa. Hence, $C$ has an inverse of size $\le p(|C|)$ (for some polynomial $p(.)$) iff $C_i$ has an inverse of size $\le p_i(|C_i|)$ (for some polynomial $p_i(.)$, $i = 1, 2$). Since the existence of polynomial-size inverses for all circuits $C$ implies $\Pi_2^P = \Sigma_2^P$ (by Theorem 3.4), the existence of polynomial-size inverses for all circuits $C_i$ also implies $\Pi_2^P = \Sigma_2^P$. □

Based on Propositions 4.5 and 4.6 we now construct a function which is one-way by circuit size. We start with the function

$\mathrm{ev}_{\mathrm{circ}} : (c, x) \mapsto (c, \mathrm{ev}(c, x))$, i.e., $(c, x) \mapsto (c, [\mathrm{decode}(c)](x))$ when $|x| = m_{\mathrm{decode}(c)}$,

which is just the pairing $(\pi_1, \mathrm{ev})$ of the first projection $\pi_1 : (x_1, x_2) \mapsto x_1$ and the evaluation function $\mathrm{ev}$. We saw that $\mathrm{ev}$ is a total function that can be computed deterministically in polynomial time, hence $\mathrm{ev}_{\mathrm{circ}}$ is also total and polynomial-time computable. Levin observed that $\mathrm{ev}_{\mathrm{circ}}$ is a complete or "universal" one-way function, for a certain definition of one-way functions and for certain reductions between functions (see [10], [11], and related references).

The function $\mathrm{ev}_{\mathrm{circ}}$ is polynomially balanced. Indeed, for any input $X = (\mathrm{code}(C), x)$ and output $Y = (\mathrm{code}(C), C(x))$ of $\mathrm{ev}_{\mathrm{circ}}$ we have: $|X| = |\mathrm{code}(C)| + |x| \le 2\,(|\mathrm{code}(C)| + |C(x)|) = 2|Y|$, and $|Y| = |\mathrm{code}(C)| + |C(x)| \le 2\,(|\mathrm{code}(C)| + |x|) = 2|X|$, using the facts that $|x| \le |C|$, $|C(x)| \le |C|$, and $|C| \le |\mathrm{code}(C)|$. Also, if $c$ is not the code of any circuit then $\mathrm{ev}_{\mathrm{circ}}(c, x) = (c, x)$ (since $\mathrm{decode}(c)$ is then an identity circuit), so length is preserved in that case.

The function $\mathrm{ev}_{\mathrm{circ}}$ is not length-equality preserving, therefore we introduce a special evaluation function
$\widehat{\mathrm{ev}} : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^* \times \{0,1\}^*$,

$\widehat{\mathrm{ev}}(c, x) = (c, C(x))$ if $c = \mathrm{code}(C)$, $|c| \le 24\, m_C \log_2(4 m_C)$, and $|x| = m_C = n_C$;
$\widehat{\mathrm{ev}}(c, x) = (c, x)$ otherwise.

This definition makes $\widehat{\mathrm{ev}}$ length-preserving, hence it is also length-equality preserving and polynomially balanced. Clearly, $\widehat{\mathrm{ev}}$ is also uniformly computable in polynomial time (by Prop. 4.5 (5.1) and (5.3)). The definition was made in such a way that Prop. 4.6 can be applied.

Lemma 4.7 If $\Pi_2^P \neq \Sigma_2^P$ then the special evaluation function $\widehat{\mathrm{ev}}$ is one-way by circuit size.

Proof. By contraposition, let us assume that $\widehat{\mathrm{ev}}$ has an inverse function $\widehat{\mathrm{ev}}'$ which is computed by a polynomial-size family of circuits $\mathcal{E}' = (E'_i : i \in \mathbb{N})$. So, there is a polynomial $p(.)$ such that for all $i$, $|E'_i| \le p(i)$. The circuit $E'_i$ takes inputs of the form $(c, y) \in \{0,1\}^* \times \{0,1\}^*$ with $i = |c| + |y|$. Consider the case where $c = \mathrm{code}(C)$ for any circuit $C$ such that $m_C = n_C = |y|$, and $|c| \le 24\, m_C \log_2(4 m_C)$. Then $i = |c| + n_C = |c| + m_C$. We let $C' = E'_i(\mathrm{code}(C), \cdot)$; this is the circuit $E'_i$ with the $c$-input hardwired to the value $\mathrm{code}(C)$ (and with only the $x$-part of the output kept). For every $y \in \mathrm{im}(C)$ the pair $(c, y)$ is in $\mathrm{im}(\widehat{\mathrm{ev}})$, so $\widehat{\mathrm{ev}}'(c, y) = (c, x')$ with $C(x') = y$; hence $C'$ is an inverse of $C$. Its size is $|C'| \le p(i) = p(|c| + m_C) \le p(6\,|C| \log_2 |C| + |C|)$ (by Prop. 4.5 (3) and $m_C \le |C|$), which is polynomial in $|C|$. Then the existence of such an inverse $C'$ for every circuit $C$ as in Prop. 4.6 implies $\Pi_2^P = \Sigma_2^P$. □

Lemma 4.7 immediately implies:

Theorem 4.8 If $\Pi_2^P \neq \Sigma_2^P$ then there exist length-preserving functions that are one-way by circuit size and computable uniformly in polynomial time. □